"

Error: “Your configuration container audit settings may prevent the ‘Who Changed’ field from being reported correctly”

Last review: May 05, 2014
https://kb.netwrix.com/1251
Copy Article URL Copied
  • The Change Summary and the Netwrix Auditor System Health log (Netwrix Auditor log in 6.5 or warning.txt file in 5.0) contain the following warning message:  “Your configuration container audit settings may prevent the ‘Who  Changed’ field from being reported correctly”.
  • Who Changed” field contains the “System” value.

Object-level auditing of the Active Directory Configuration container is not configured for monitoring all possible changes made to Active Directory by any user.

To monitor all possible changes made to Active Directory by any user, you must make sure that auditing of containers is configured properly. To do this, perform the following steps:
  1. Navigate to Start –> Programs –> Administrative Tools –> ADSI Edit.
  2. Right-click the ADSI Edit node and select Connect To. In the Connection Settings dialogue, enable Select a well-known Naming Context and select Configuration from the drop-down list.
  3. Expand the Configuration<Your_Root_Domain_Name> node. Right-click the CN=Configuration, DC=<name>,DC=<name>… node and select Properties.
  4. In the dialogue that opens, select the Security tab and click Advanced. In the Advanced Security Settings for Configuration dialogue, open the Auditing tab.
  5. Do one of the following, depending on the OS:
    • Pre-Windows Server 2012 versions:
      1. Click Add.  In the Select user, Computer, Service account, or Group dialogue, type “Everyone” in the Enter the object name to select field.
      2. In the Audit Entry dialogue that opens, set the “Successful” parameter for all access entries except the following: Full Control, List Contents, Read All Properties and Read Permissions.
      3. Make sure that the  Apply these auditing entries to objects and/or containers within this container only check-box is cleared. Also, make sure that the Apply onto parameter is set to “This object and all descendant objects“.
    • Windows Server 2012:
      1. Click Add. In the Auditing Entry dialogue, click the Select a principal link.
      2. In the Select user, Computer, Service account, or Group dialogue, type “Everyone” in the Enter the object name to select field.
      3. Set Type to “Success” and Applies toThis object and all descendant objects“.
      4. Under Permissions, select all check-boxes except the following: Full Control, List Contents, Read All Properties and Read Permissions.
      5. Scroll to the bottom of the list and make sure that the Only apply these auditing settings to objects and/or containers within this container check-box is cleared.
 Refer to Netwrix Auditor Installation and Configuration Guide for more information.
Go Up